When using the OIDC Client with Azure I ran into an issue with Azure including the application roles and security groups in the token. For example, application roles are sent as a JSON array:
"roles": [
    "Person.Read",
    "Person.Delete",
    "Person.Write"
],
The OIDC Client converts the claims in the token into a Token_Claims structure, which holds each claim as a key-value pair. In the Parse_UserClaims server action, the logic converts this List of Token_Claims into JSON and then converts that into an Object. However, the Token_Claims would contain an entry for each role in the array, i.e.:
{"key":"roles","value":"Person.Read"},{"key":"roles","value":"Person.Delete"},{"key":"roles","value":"Person.Write"}
The call to the JSON_Objectify action would fail because it was trying to create an object with multiple attributes of the same name. The error shows up as:
Can not add property roles to Newtonsoft.Json.Linq.JObject. Property with the same name already exists on object.
To get around this, I modified the Parse_UserClaims action. Just after the start node, I added a ListFilter that pulls out all of the claims whose key value is "roles" or "groups". This allowed everything to work successfully, and the roles/groups were still passed on to the OIDCCustomization logic, where I could do the Azure role mapping to OutSystems roles/groups.
Perhaps after review you would consider adding this change to the OIDC Client project.
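The failure and the workaround described in the post above, as an added Python example that is not part of the original post or of the OIDC Client component. The function names and the sample claim values are constructed for illustration; objectify_strict is a stand-in for an objectify step that rejects duplicate property names, as in the quoted error.

```python
import json

# Constructed sample: flattened claim pairs in the shape the post shows.
TOKEN_CLAIMS = [
    {"key": "sub", "value": "constructed-subject-id"},
    {"key": "roles", "value": "Person.Read"},
    {"key": "roles", "value": "Person.Delete"},
    {"key": "roles", "value": "Person.Write"},
    {"key": "groups", "value": "constructed-group-id"},
]

MULTI_VALUED = {"roles", "groups"}  # keys the post's ListFilter pulls out


def objectify_strict(pairs):
    """Build one object from key/value pairs, rejecting duplicate keys
    (hypothetical stand-in for the step that raised the quoted error)."""
    obj = {}
    for pair in pairs:
        if pair["key"] in obj:
            raise ValueError(f"property {pair['key']} already exists on object")
        obj[pair["key"]] = pair["value"]
    return obj


def parse_user_claims(pairs, multi_valued=MULTI_VALUED):
    """Split multi-valued claims out before objectifying the rest.

    Returns (user_object, multi), where multi maps each multi-valued key
    to the ordered list of its values, so no role or group is dropped or
    overwritten before the role mapping runs.
    """
    multi = {key: [] for key in multi_valued}
    single = []
    for pair in pairs:
        if pair["key"] in multi_valued:
            multi[pair["key"]].append(pair["value"])
        else:
            single.append(pair)
    return objectify_strict(single), multi


if __name__ == "__main__":
    try:
        objectify_strict(TOKEN_CLAIMS)  # unfiltered list: duplicate "roles"
    except ValueError as err:
        print("unfiltered:", err)
    user, multi = parse_user_claims(TOKEN_CLAIMS)
    print(json.dumps({"user": user, **multi}, indent=2))
```

Collecting the repeated keys into lists, rather than letting a later value overwrite an earlier one, keeps every role available to the authorization mapping.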
Hi @Jim Dudley,
Thank you for the feedback, I'll look into it for the next release of the OIDC Client component.
Regards,
Just in case it might help someone, here is a quick screenshot of the workaround that Jim described above.
Hi @Jim Dudley,
Version 1.0.6 of the component should have this issue fixed.
Regards,